When a cookie has the HttpOnly flag set, JavaScript cannot read it: document.cookie does not expose it, so an XSS payload cannot simply exfiltrate the session ID. That is the reason the flag was introduced (Microsoft added it in Internet Explorer 6 SP1). So the HttpOnly flag restricts reading of the cookie by JavaScript. Does that mean the attacker is stopped at this point? Reading is prevented, but what about writing? Writing was not what the flag was originally introduced to prevent (RFC 6265, section 5.3, does require a cookie store to ignore a document.cookie write that would create or replace an HttpOnly cookie, but not every browser follows that rule), so this is potentially interesting. It turns out that an HttpOnly cookie can be overwritten by JavaScript in some browsers, and the attacker can use this to launch a session fixation attack, which is the subject of this article.

2. Overwriting a cookie with HttpOnly flag by JavaScript

When JavaScript can overwrite a cookie that has the HttpOnly flag set, an attacker who is exploiting an XSS vulnerability can use that write to launch a session fixation attack via the HttpOnly session cookie (session fixation is described in one of my previous articles [1]).

As a consequence of a session fixation attack, the attacker can impersonate the victim, because the attacker knows the victim's session ID. The assumption here is that the application does not regenerate the session ID after successful login. One can say at this point that the flaw is in the application itself, because it should regenerate the session after successful login. That is true, but there is still no reason for a browser to let JavaScript overwrite an HttpOnly cookie, and this overwriting possibility is exactly what turns the missing session regeneration into a working session fixation attack.

What about the case when the session ID is regenerated after successful login? Can the attacker still use the overwrite somehow? Yes: the attacker can switch the user into the attacker's own account by setting the user's session cookie to the session ID the attacker is currently logged in with. The user then believes he is using his own account and enters sensitive information into the attacker's account, where the attacker can read it. Regenerating the session ID at login does not help here, because the victim never logs in again; the planted session is already authenticated.

3. Browsers which allow JavaScript to overwrite HttpOnly cookie

I found that the following browsers allow JavaScript to overwrite HttpOnly cookies:

Safari

Opera Mobile

Opera Mini

BlackBerry browser

Konqueror browser

The problem was reported to the vendors (4 February 2014).

Internet Explorer, Firefox and desktop Opera (standard install) are not vulnerable to the attack described above.

4. Response from vendors

Opera Software confirmed the problem in Opera Mobile and Opera Mini. They decided to fix the issue in Opera Mini (no date for the fix has been set). Although Opera Mobile was still available on Google Play at the time of submission, Opera Software considers it legacy and decided not to fix it; they responded that its replacement is Opera for Android, which prevents JavaScript from overwriting HttpOnly cookies.

BlackBerry responded that the PlayBook tablet OS (which I used for testing) has been announced as out of support as of April 2014 and that the issue will not be fixed. However, since the issue was reported before the end of support was announced, they decided to put me on the BlackBerry Security Incident Response Team's Acknowledgements 2014 list (according to their policy, my name will appear there by the end of April 2014) [2].

The issue was confirmed in Konqueror, but it will probably not be fixed. The discussion of this bug is available in the KDE Bugtracking System [3].

The issue was reported to Apple two months ago, and I have not received any feedback from them since.

The procedure is as follows: run it and then see that cookie1 (which has the HttpOnly flag set) has been overwritten by JavaScript.

6. Summary

The HttpOnly flag was introduced to prevent JavaScript from reading a cookie. It turns out, however, that in some browsers an HttpOnly cookie can still be overwritten by JavaScript, which an attacker can use to launch a session fixation attack. The browsers that allow JavaScript to overwrite an HttpOnly cookie were listed together with the vendors' responses. Finally, a simple piece of code was shown for experimenting with the issue.

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing.
Dawid shares his bug hunting experience in his workshop entitled "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". To find out about the latest in Dawid's work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).
